- name: Set up those proxy websites.  My, my..
  hosts: proxies_stg:proxies
  user: root
  gather_facts: True

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"

  tasks:
  - name: Create /srv/web/ for all the goodies.
    file: dest=/srv/web state=directory owner=root group=root mode=0755
    tags:
    - httpd
    - httpd/website

  - name: check the selinux context of webdir
    command: matchpathcon /srv/web
    register: webdir
    check_mode: no
    changed_when: "1 != 1"
    tags:
    - config
    - selinux
    - httpd
    - httpd/website

  - name: /srv/web file contexts
    command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
    when: webdir.stdout.find('httpd_sys_content_t') == -1
    tags:
    - config
    - selinux
    - httpd
    - httpd/website

  roles:

  - role: httpd/website
    site_name: fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    server_aliases:
    - stg.fedoraproject.org
    - localhost
    - www.fedoraproject.org
    - hotspot-nocache.fedoraproject.org

  # This is for all the other domains we own
  # that redirect to https://fedoraproject.org
  - role: httpd/website
    site_name: fedoraproject.com
    cert_name: "{{wildcard_cert_name}}"
    server_aliases:
    - epel.io
    - fedp.org
    - fedora.asia
    - fedora.com.my
    - fedora.cr
    - fedora.events
    - fedora.me
    - fedora.mobi
    - fedora.my
    - fedora.org
    - fedora.org.cn
    - fedora.pe
    - fedora.pt
    - fedora.redhat.com
    - fedora.software
    - fedora.tk
    - fedora.us
    - fedora.wiki
    - fedoralinux.com
    - fedoralinux.net
    - fedoralinux.org
    - fedoraproject.asia
    - fedoraproject.cn
    - fedoraproject.co.uk
    - fedoraproject.com
    - fedoraproject.com.cn
    - fedoraproject.com.gr
    - fedoraproject.com.my
    - fedoraproject.cz
    - fedoraproject.eu
    - fedoraproject.gr
    - fedoraproject.info
    - fedoraproject.net
    - fedoraproject.net.cn
    - fedoraproject.org.uk
    - fedoraproject.pe
    - fedoraproject.su
    - projectofedora.org
    - www.fedora.asia
    - www.fedora.com.my
    - www.fedora.cr
    - www.fedora.events
    - www.fedora.me
    - www.fedora.mobi
    - www.fedora.org
    - www.fedora.org.cn
    - www.fedora.pe
    - www.fedora.pt
    - www.fedora.redhat.com
    - www.fedora.software
    - www.fedora.tk
    - www.fedora.us
    - www.fedora.wiki
    - www.fedoralinux.com
    - www.fedoralinux.net
    - www.fedoralinux.org
    - www.fedoraproject.asia
    - www.fedoraproject.cn
    - www.fedoraproject.co.uk
    - www.fedoraproject.com
    - www.fedoraproject.com.cn
    - www.fedoraproject.com.gr
    - www.fedoraproject.com.my
    - www.fedoraproject.cz
    - www.fedoraproject.eu
    - www.fedoraproject.gr
    - www.fedoraproject.info
    - www.fedoraproject.net
    - www.fedoraproject.net.cn
    - www.fedoraproject.org.uk
    - www.fedoraproject.pe
    - www.fedoraproject.su
    - www.projectofedora.org
    - www.getfedora.com
    - getfedora.com
    - fedoraplayground.org
    - fedoraplayground.com

  - role: httpd/website
    site_name: admin.fedoraproject.org
    server_aliases: [admin.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: cloud.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: mirrors.fedoraproject.org
    server_aliases:
    - mirrors.stg.fedoraproject.org
    - fedoramirror.net
    - www.fedoramirror.net
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: mirrors.centos.org
    sslonly: true
    certbot: true
    tags: mirrors.centos.org
    when: env != "staging"

  - role: httpd/website
    site_name: mirrors.stg.centos.org
    sslonly: true
    certbot: true
    tags: mirrors.stg.centos.org
    when: env == "staging"

  - role: httpd/website
    site_name: src.fedoraproject.org
    server_aliases: [src.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    sslonly: true
    use_h2: true
    tags: src.fedoraproject.org

  - role: httpd/website
    site_name: download.fedoraproject.org
    server_aliases:
    - download01.fedoraproject.org
    - download02.fedoraproject.org
    - download03.fedoraproject.org
    - download04.fedoraproject.org
    - download05.fedoraproject.org
    - download06.fedoraproject.org
    - download07.fedoraproject.org
    - download08.fedoraproject.org
    - download09.fedoraproject.org
    - download10.fedoraproject.org
    - download-rdu01.fedoraproject.org
    - download.stg.fedoraproject.org
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: translate.fedoraproject.org
    server_aliases: [translate.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: pki.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: spins.fedoraproject.org
    server_aliases:
    - spins.stg.fedoraproject.org
    - spins-test.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: labs.fedoraproject.org
    server_aliases:
    - labs.stg.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: arm.fedoraproject.org
    server_aliases:
    - arm.stg.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: iot.fedoraproject.org
    server_aliases:
    - iot.stg.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: budget.fedoraproject.org
    server_aliases:
    - budget.stg.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: boot.fedoraproject.org
    server_aliases: [boot.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: keys.fedoraproject.org
    server_aliases: [keys.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: testdays.fedoraproject.org
    server_aliases: [testdays.qa.fedoraproject.org, testdays.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    tags: testdays

  - role: httpd/website
    site_name: packager-dashboard.fedoraproject.org
    server_aliases: [packager-dashboard.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    tags: packager-dashboard

  - role: httpd/website
    site_name: smolts.org
    ssl: false
    server_aliases:
    - smolt.fedoraproject.org
    - stg.smolts.org
    - www.smolts.org
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: docs.fedoraproject.org
    server_aliases:
    - doc.fedoraproject.org
    - docs.stg.fedoraproject.org
    sslonly: true
    gzip: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: docs-old.fedoraproject.org
    server_aliases:
    - docs-old.stg.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: bodhi.fedoraproject.org
    sslonly: true
    server_aliases: [bodhi.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: "accounts{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    tags:
      - noggin

  - role: httpd/website
    site_name: "fasjson{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    tags:
      - fasjson

  - role: httpd/website
    site_name: "coreos{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    certbot: true
    tags:
    - coreos.fedoraproject.org
    when: env == "staging"

  - role: httpd/website
    site_name: "updates.coreos{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    certbot: true
    tags:
    - updates.coreos.fedoraproject.org

  - role: httpd/website
    site_name: "status.updates.coreos{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    certbot: true
    tags:
    - status.updates.coreos.fedoraproject.org

  - role: httpd/website
    site_name: "raw-updates.coreos{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    certbot: true
    tags:
    - raw-updates.coreos.fedoraproject.org

  - role: httpd/website
    site_name: "status.raw-updates.coreos{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    certbot: true
    tags:
    - status.raw-updates.coreos.fedoraproject.org

  - role: httpd/website
    site_name: "builds.coreos{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    certbot: false
    cert_name: "{{wildcard_cert_name}}"
    tags:
    - builds.coreos.fedoraproject.org

  - role: httpd/website
    site_name: caiapi.fedoraproject.org
    sslonly: true
    server_aliases: [caiapi.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags: caiapi
    when: env == "staging"

  - role: httpd/website
    site_name: ostree.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    tags: ostree

  - role: httpd/website
    site_name: flocktofedora.org
    server_aliases:
    - flocktofedora.org
    - www.flocktofedora.org
    ssl: true
    sslonly: true
    certbot: true
    when: env == "production"

  - role: httpd/website
    site_name: flocktofedora.net
    server_aliases:
    - flocktofedora.com
    - www.flocktofedora.net
    - www.flocktofedora.com
    ssl: false

  - role: httpd/website
    site_name: fedora.my
    server_aliases:
    - fedora.my
    ssl: false

  - role: httpd/website
    site_name: copr.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    tags: copr

  - role: httpd/website
    site_name: bugz.fedoraproject.org
    server_aliases: [bugz.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: fas.fedoraproject.org
    server_aliases:
    - fas.stg.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: fedoracommunity.org
    server_aliases:
    - www.fedoracommunity.org
    - stg.fedoracommunity.org
    # - fedoraproject.community
    # - fedora.community
    # - www.fedora.community
    # - www.fedoraproject.community
    sslonly: true
    certbot: true
    tags: fedoracommunity

  - role: httpd/website
    site_name: get.fedoraproject.org
    server_aliases: [get.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: help.fedoraproject.org
    server_aliases: [help.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: it.fedoracommunity.org
    server_aliases: [it.fedoracommunity.org]
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: uk.fedoracommunity.org
    server_aliases:
    - uk.fedoracommunity.org
    - www.uk.fedoracommunity.org
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: tw.fedoracommunity.org
    server_aliases:
    - tw.fedoracommunity.org
    - www.tw.fedoracommunity.org
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: people.fedoraproject.org
    server_aliases: [people.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: join.fedoraproject.org
    server_aliases: [join.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: l10n.fedoraproject.org
    server_aliases: [l10n.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: start.fedoraproject.org
    server_aliases: [start.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: kde.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: nightly.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: store.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: port389.org
    server_aliases:
    - www.port389.org
    - 389tcp.org
    - www.389tcp.org
    ssl: false
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: transtats.fedoraproject.org
    sslonly: true
    server_aliases: [transtats.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags:
    - transtats

  - role: httpd/website
    site_name: whatcanidoforfedora.org
    server_aliases:
    - www.whatcanidoforfedora.org
    - stg.whatcanidoforfedora.org
    ssl: true
    sslonly: true
    certbot: true
    tags:
    - whatcanidoforfedora.org

  - role: httpd/website
    site_name: k12linux.org
    server_aliases:
    - www.k12linux.org
    ssl: false
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: fonts.fedoraproject.org
    server_aliases: [fonts.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: meetbot.fedoraproject.org
    server_aliases: [meetbot.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: meetbot-raw.fedoraproject.org
    server_aliases: [meetbot-raw.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: fudcon.fedoraproject.org
    server_aliases: [fudcon.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: ask.fedoraproject.org
    server_aliases: [ask.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: askbot.fedoraproject.org
    server_aliases: [askbot.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: badges.fedoraproject.org
    server_aliases: [badges.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: paste.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: coreos.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    when: env == "production"
    tags:
    - coreos.fedoraproject.org


#
# Make a website here so we can redirect it to paste.fedoraproject.org
#
#  - role: httpd/website
#    site_name: fpaste.org
#    certbot: true
#    server_aliases:
#    - www.fpaste.org
#    tags:
#    - fpaste.org
#    when: env == "production"

  - role: httpd/website
    site_name: koji.fedoraproject.org
    sslonly: true
    server_aliases:
    - koji.stg.fedoraproject.org
    - kojipkgs.stg.fedoraproject.org
    - buildsys.fedoraproject.org
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: kojipkgs.fedoraproject.org
    sslonly: true
    server_aliases:
    - kojipkgs01.fedoraproject.org
    - kojipkgs02.fedoraproject.org
    cert_name: "{{wildcard_cert_name}}"
    use_h2: false
    tags:
    - kojipkgs.fedoraproject.org

  - role: httpd/website
    site_name: apps.fedoraproject.org
    server_aliases: [apps.stg.fedoraproject.org]
    sslonly: true
    gzip: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: pdc.fedoraproject.org
    server_aliases: [pdc.stg.fedoraproject.org]
    sslonly: true
    gzip: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: developer.fedoraproject.org
    server_aliases: [developer.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  # This is just a redirect to developer, to make it easier for people to get
  # here from Red Hat's developers.redhat.com (ticket #5216).
  - role: httpd/website
    site_name: developers.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: fedoraloveskde.org
    server_aliases: [stg.fedoraloveskde.org]
    sslonly: true
    certbot: true
    tags:
    - fedoraloveskde

  - role: httpd/website
    site_name: osbs.fedoraproject.org
    server_aliases: [osbs.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: "provision{{ env_suffix }}.fedoraproject.org"
    # Zezere needs non-HTTPS for netboot
    sslonly: false
    cert_name: "{{wildcard_cert_name}}"
    tags:
    - zezere

  - role: httpd/website
    site_name: os.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    # The Connection and Upgrade headers don't work for h2
    # So non-h2 is needed to fix websockets.
    use_h2: false
    tags:
    - os.fedoraproject.org

  - role: httpd/website
    site_name: app.os.fedoraproject.org
    server_aliases: ["*.app.os.fedoraproject.org"]
    sslonly: true
    cert_name: "{{os_wildcard_cert_name}}"
    SSLCertificateChainFile: "{{os_wildcard_int_file}}"
    # The Connection and Upgrade headers don't work for h2
    # So non-h2 is needed to fix websockets.
    use_h2: false
    tags:
    - app.os.fedoraproject.org

  - role: httpd/website
    site_name: os.stg.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    # The Connection and Upgrade headers don't work for h2
    # So non-h2 is needed to fix websockets.
    use_h2: false
    tags:
    - os.stg.fedoraproject.org

  - role: httpd/website
    site_name: app.os.stg.fedoraproject.org
    server_aliases: ["*.app.os.stg.fedoraproject.org"]
    sslonly: true
    cert_name: "{{os_wildcard_cert_name}}"
    SSLCertificateChainFile: "{{os_wildcard_int_file}}"
    # The Connection and Upgrade headers don't work for h2
    # So non-h2 is needed to fix websockets.
    use_h2: false
    tags:
    - app.os.stg.fedoraproject.org

  - role: httpd/website
    site_name: ocp.stg.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    # The Connection and Upgrade headers don't work for h2
    # So non-h2 is needed to fix websockets.
    use_h2: false
    tags:
    - ocp.stg.fedoraproject.org
    when: env == "staging"

  - role: httpd/website
    site_name: apps.ocp.stg.fedoraproject.org
    server_aliases: ["*.apps.ocp.stg.fedoraproject.org", api.apps.ocp.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{ocp_wildcard_cert_name}}"
    SSLCertificateChainFile: "{{ocp_wildcard_int_file}}"
    # The Connection and Upgrade headers don't work for h2
    # So non-h2 is needed to fix websockets.
    use_h2: false
    tags:
    - apps.ocp.stg.fedoraproject.org
    when: env == "staging"

  - role: httpd/website
    site_name: ocp.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    # The Connection and Upgrade headers don't work for h2
    # So non-h2 is needed to fix websockets.
    use_h2: false
    tags:
    - ocp.fedoraproject.org
    when: env == "production"

  - role: httpd/website
    site_name: apps.ocp.fedoraproject.org
    server_aliases: ["*.apps.ocp.fedoraproject.org", api.apps.ocp.fedoraproject.org]
    sslonly: true
    cert_name: "{{ocp_wildcard_cert_name}}"
    SSLCertificateChainFile: "{{ocp_wildcard_int_file}}"
    # The Connection and Upgrade headers don't work for h2
    # So non-h2 is needed to fix websockets.
    use_h2: false
    tags:
    - apps.ocp.fedoraproject.org
    when: env == "production"

  - role: httpd/website
    site_name: registry.fedoraproject.org
    server_aliases: [registry.stg.fedoraproject.org registry-no-cdn.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: registry.centos.org
    server_aliases: [registry.stg.centos.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: candidate-registry.fedoraproject.org
    server_aliases: [candidate-registry.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: retrace.fedoraproject.org
    server_aliases: [retrace.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    when: env == "staging"

  - role: httpd/website
    site_name: faf.fedoraproject.org
    server_aliases: [faf.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    when: env == "staging"

  - role: httpd/website
    site_name: alt.fedoraproject.org
    server_aliases:
    - alt.stg.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  # Kinda silly that we have two entries here, one for prod and one for stg.
  # This is inherited from our puppet setup -- we can collapse them as soon as
  # is convenient.  -- threebean
  - role: httpd/website
    site_name: taskotron.fedoraproject.org
    server_aliases: [taskotron.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: taskotron.stg.fedoraproject.org
    server_aliases: [taskotron.stg.fedoraproject.org]
    # Set this explicitly to stg here.. as per the original puppet config.
    SSLCertificateChainFile: wildcard-2022.stg.fedoraproject.org.intermediate.cert
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    when: env == "staging"

  - role: httpd/website
    site_name: resultsdb.stg.fedoraproject.org
    server_aliases: [resultsdb.stg.fedoraproject.org]
    # Set this explicitly to stg here.. as per the original puppet config.
    SSLCertificateChainFile: wildcard-2022.stg.fedoraproject.org.intermediate.cert
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    when: env == "staging"
    tags: resultsdb

  - role: httpd/website
    site_name: resultsdb.fedoraproject.org
    server_aliases: [resultsdb.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    when: env != "staging"
    tags: resultsdb

  - role: httpd/website
    site_name: lists.fedoraproject.org
    server_aliases: [lists.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: lists.fedorahosted.org
    server_aliases:
      - lists.stg.fedorahosted.org
    sslonly: true
    certbot: true
    tags: fedorahosted

  - role: httpd/website
    site_name: "id{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    stssubdomains: false
    tags:
    - id.fedoraproject.org

  - role: httpd/website
    site_name: "sso{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    tags:
    - sso.fedoraproject.org

  - role: httpd/website
    site_name: username.id.fedoraproject.org
    server_aliases:
    - "*.id.fedoraproject.org"
    # Must not be sslonly, because example.id.fedoraproject.org must be reachable
    # via plain http for openid identity support
    sslonly: false
    cert_name: wildcard-2022.id.fedoraproject.org
    SSLCertificateChainFile: wildcard-2022.id.fedoraproject.org.intermediate.cert
    tags:
    - id.fedoraproject.org
    when: env == "production"

  - role: httpd/website
    site_name: username.id.stg.fedoraproject.org
    server_aliases:
    - "*.id.stg.fedoraproject.org"
    # Must not be sslonly, because example.id.fedoraproject.org must be reachable
    # via plain http for openid identity support
    sslonly: false
    cert_name: "{{wildcard_cert_name}}"
    SSLCertificateChainFile: wildcard-2022.stg.fedoraproject.org.intermediate.cert
    tags:
    - id.fedoraproject.org
    when: env == "staging"

  - role: httpd/website
    site_name: getfedora.org
    server_aliases: [stg.getfedora.org]
    sslonly: true
    cert_name: getfedora.org
    SSLCertificateChainFile: getfedora.org.intermediate.cert
    tags:
    - getfedora.org

  - role: httpd/website
    site_name: qa.fedoraproject.org
    server_aliases: [qa.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    sslonly: true

  - role: httpd/website
    site_name: openqa.fedoraproject.org
    cert_name: "{{wildcard_cert_name}}"
    server_aliases: [openqa.stg.fedoraproject.org]
    sslonly: true

  - role: httpd/website
    site_name: redirect.fedoraproject.org
    server_aliases: [redirect.stg.fedoraproject.org]
    sslonly: true
    gzip: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: geoip.fedoraproject.org
    server_aliases: [geoip.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: codecs.fedoraproject.org
    server_aliases: [codecs.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: jenkins.fedorainfracloud.org
    cert_name: jenkins.fedorainfracloud.org
    certbot: true
    when: env == "production"

  - role: httpd/website
    site_name: testdays.fedorainfracloud.org
    cert_name: testdays.fedorainfracloud.org
    certbot: true
    when: env == "production"
    tags: testdays-fic

  - role: httpd/website
    site_name: data-analysis.fedoraproject.org
    server_aliases: [data-analysis.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    tags: data-analysis

  - role: httpd/website
    site_name: nagios.fedoraproject.org
    server_aliases: [nagios.stg.fedoraproject.org]
    SSLCertificateChainFile: wildcard-2022.fedoraproject.org.intermediate.cert
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: zabbix.stg.fedoraproject.org
    sslonly: true
    #server_aliases: [zabbix.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags: zabbix
    when: env == "staging"

  - role: httpd/website
    site_name: mbs.fedoraproject.org
    sslonly: true
    server_aliases: [mbs.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: odcs.fedoraproject.org
    sslonly: true
    server_aliases: [odcs.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags: odcs

  - role: httpd/website
    site_name: greenwave.fedoraproject.org
    sslonly: true
    server_aliases: [greenwave.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: koschei.fedoraproject.org
    sslonly: true
    server_aliases: [koschei.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags: koschei

  - role: httpd/website
    site_name: message-tagging-service.fedoraproject.org
    sslonly: true
    server_aliases: [message-tagging-service.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags: message-tagging-service

  - role: httpd/website
    site_name: waiverdb.fedoraproject.org
    sslonly: true
    server_aliases: [waiverdb.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: silverblue.fedoraproject.org
    sslonly: true
    server_aliases: [silverblue.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: kinoite.fedoraproject.org
    sslonly: true
    server_aliases: [kinoite.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags:
    - kinoite

  - role: httpd/website
    site_name: release-monitoring.org
    sslonly: true
    certbot: true
    tags:
    - release-monitoring.org
    when: env == "production"

  - role: httpd/website
    site_name: stg.release-monitoring.org
    sslonly: true
    certbot: true
    tags:
    - release-monitoring.org
    when: env == "staging"

  - role: httpd/website
    site_name: lists.pagure.io
    sslonly: true
    certbot: true
    tags:
    - lists.pagure.io
    when: env == "production"

  - role: httpd/website
    site_name: "languages{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    tags: languages

  - role: httpd/website
    site_name: neuro.fedoraproject.org
    sslonly: true
    server_aliases: [neuro.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags: neuro

  - role: httpd/website
    site_name: elections.fedoraproject.org
    sslonly: true
    server_aliases: [elections.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags: elections

  - role: httpd/website
    site_name: wallpapers.fedoraproject.org
    sslonly: true
    server_aliases: [wallpapers.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags: wallpapers

  - role: httpd/website
    site_name: mdapi.fedoraproject.org
    sslonly: true
    server_aliases: [mdapi.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags: mdapi

  - role: httpd/website
    site_name: debuginfod.fedoraproject.org
    sslonly: true
    server_aliases: [debuginfod.stg.fedoraproject.org]
    x_forward: true
    cert_name: "{{wildcard_cert_name}}"
    gzip: true
    tags: debuginfod

  - role: httpd/website
    site_name: calendar.fedoraproject.org
    sslonly: true
    server_aliases: [calendar.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags: calendar

  - role: httpd/website
    site_name: kerneltest.fedoraproject.org
    sslonly: true
    server_aliases: [kerneltest.stg.fedoraproject.org]
    cert_name: "{{wildcard_cert_name}}"
    tags: kerneltest

# fedorahosted is retired. We have the site here so we can redirect it.

  - role: httpd/website
    site_name: fedorahosted.org
    sslonly: true
    server_aliases:
      - git.fedorahosted.org
      - bzr.fedorahosted.org
      - hg.fedorahosted.org
      - svn.fedorahosted.org
    certbot: true
    tags: fedorahosted
    when: env == "production"

# planet.fedoraproject.org is not to be used, it's fedoraplanet.org
# We only have it here so we can redirect it with the correct cert

  - role: httpd/website
    site_name: planet.fedoraproject.org
    cert_name: "{{wildcard_cert_name}}"

# pkgs.fp.o will be an alias of src.fp.o once we get everyone over to https
# git push/pull. For now, we just want a cert via the certbot system.

  - role: httpd/website
    site_name: pkgs.fedoraproject.org
    ssl: true
    sslonly: true
    certbot: true
    certbot_addhost: pkgs01.iad2.fedoraproject.org
    tags:
    - pkgs.fedoraproject.org
    when: env == "production" and "iad2" in inventory_hostname

  - role: httpd/website
    site_name: pkgs.stg.fedoraproject.org
    ssl: true
    sslonly: true
    certbot: true
    certbot_addhost: pkgs01.stg.iad2.fedoraproject.org
    tags:
    - pkgs.fedoraproject.org
    when: env == "staging" and "iad2" in inventory_hostname

# Askbeta -> ask redirects
  - role: httpd/website
    site_name: askbeta.fedoraproject.org
    ssl: true
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    tags:
    - askbeta.fedoraproject.org


#
# We setup this site for old ols papers
# This used to be on fedorapeople.org, but a new 'ols' user showed up, so
# that no longer works.
#
  - role: httpd/website
    site_name: ols.fedoraproject.org
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: packages.fedoraproject.org
    server_aliases: [packages.stg.fedoraproject.org]
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"

  - role: httpd/website
    site_name: "discourse2fedmsg{{ env_suffix }}.fedoraproject.org"
    sslonly: true
    cert_name: "{{wildcard_cert_name}}"
    tags: discourse2fedmsg

  - role: httpd/website
    site_name: fedora.im
    server_aliases: [stg.fedora.im]
    sslonly: true
    certbot: true
    tags:
    - fedora.im

  - role: httpd/website
    site_name: ipsilon-project.org
    cert_name: ipsilon-project.org
    server_aliases:
    - ipsilon-project.org
    - www.ipsilon-project.org
    ssl: true
    sslonly: true
    certbot: true
    tags:
    - ipsilon-website
